Submit a ticketCall us

Bridging the ITSM Divide
Integrated help desk and remote support software for faster resolution

Join us on Wednesday, November 29, 2017 at 11 a.m. CT, as we discuss the benefits of effectively integrating your help desk software with remote support solutions to help increase the efficiency of IT administration, improve communication, and decrease mean time to resolution (MTTR) for IT issues of all sizes. This directly impacts end-user satisfaction and your business’ bottom line. Register Now.

Home > Success Center > Log & Event Manager (LEM) > LEM Administrator's Guide > Collecting Windows Filtering Platform (WFP) events in LEM

Collecting Windows Filtering Platform (WFP) events in LEM

Updated: September 15, 2017

Windows Filtering Platform (WFP) logs firewall and IPsec related events to the System Security Log. These alerts are background events that require additional LEM resources to process and are not recommended for an optimized LEM deployment.

About Windows WFP events and LEM performance

By default, WFP logging is disabled in the Windows Security Log connector. Tuning out Windows noise in group policies has the following advantages:

  • Reduces the space that these events occupy in the Security Event log
  • Reduces network activity
  • Reduces demand on LEM system resources (such as CPU, memory, and disk space)

The Windows Security Log connector stopped collecting WFP data in LEM version 6.2.

Configure LEM to collect WFP events (Optional)

If necessary, you can enable WFP event logging in LEM.

SolarWinds strongly recommends that you keep WFP logging turned off.

To collect WFP events in LEM, configure the Windows Filtering Platform Events connector. Enabling this connector will result in LEM collecting a huge volume of data . To manage this data, see the following sections.

Improve LEM performance by tuning Windows WFP events

If you collect WFP events in LEM, SolarWinds recommends tuning WFP in your Active Directory group policies to decrease the load that background events place on the LEM Manager. The following tables describe alerts located in the Event Distribution Policy in LEM Manager. You can filter out these events by clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules columns. LEM will process the remaining events.

In LEM, the terms event and alert are interchangeable .

SolarWinds recommends disabling WFP alerts using Group or Local Policy.

The ProviderSID value in the following alerts match the Windows Security Auditing Event ID format where Event ID is one of the Windows Event IDs listed in the following table.


Alert Name Windows Event ID
TCPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit 5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit 5152, 5156
PPTPTrafficAudit 5152


Table of Descriptions by Event ID

Event ID Brief Description
5152 Windows Filtering Platform blocked a packet
5154 Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156 Windows Filtering Platform allowed a connection
5157 Windows Filtering Platform blocked a connection
5158 Windows Filtering Platform permitted a bind to a local port
5159 Windows Filtering Platform blocked a bind to a local port
Last modified